Privacy and security practices are at the heart of Smartsheet’s business model, and are essential to the trust we have established with our customers. We expect similar commitments to privacy and security from our service providers, suppliers, business partners, and any other entity that provides goods, products, or services to us (“Vendors”). The purpose of this “Expectations” document is to establish the minimum information security and data privacy standards that we expect Vendors to abide by when performing “services” (i.e., professional or consulting services, cloud software services, software licenses, or providing other goods, products, or services of any sort) for Smartsheet or “processing” (as defined by the Applicable Data Protection Laws) Smartsheet Information.
Minimum Expectations
Provide Notice to Individuals
Vendors should notify individuals (meaning any identified or identifiable natural person) about their privacy practices and, if applicable to their business practices, assign a Data Protection Officer (as defined in the GDPR). At a minimum, the notification to individuals must include:
- a description of the types of Personal Data collected;
- the purposes for which the Vendor collects and stores Personal Data;
- a description of the ways in which Personal Data is used by the Vendor;
- the types or identities of third parties with which the Vendor shares Personal Data and the purposes for doing so;
- a notice informing individuals that they have legal rights (including access, deletion, objection, rectification, etc.) to their Personal Data and their options for exercising such rights, including limiting the use and disclosure of their Personal Data;
- contact information for any inquiries or complaints, including any relevant establishment in the EU that can respond to individual inquiries or complaints; and
- a notice to Customers of the possibility to invoke binding arbitration and/or notify a competent data protection authority.
Providing Choice to Data Subjects
Vendors should provide individuals the opportunity to choose if Personal Data (i) will be disclosed to a third party, or (ii) used for a purpose other than that for which it was originally collected or subsequently authorized.
Accountability for Onward Transfers of Data
Vendors should only provide Smartsheet Information to service providers who perform tasks on behalf of and under the Vendor’s instructions, and only if such service providers are under confidentiality, security, and data privacy obligations substantially similar to the obligations the Vendor owes to Smartsheet. Further, Vendors should notify Smartsheet of any such service providers in advance of disclosing any Smartsheet Information to them.
Vendors should only transfer, disclose, or share Personal Data in accordance with their publicly posted privacy notice.
Security
Vendors should implement and maintain administrative, technical, and physical safeguards to protect Smartsheet Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. These safeguards must ensure a level of security appropriate to the risk. Examples of safeguards include:
- Administrative safeguards: only allowing personnel with a business need to access systems; evaluating personnel access levels based on role.
- Technical safeguards: requiring all personnel to lock computers when away from their desks; storing information on a secure network with monitored firewall protection; requiring user authentication via password before allowing access to electronic information systems.
- Physical safeguards: storing documents containing data in secured cabinets or rooms; ensuring that documents containing customer information are not left on desks or in other locations that may be visible to individuals not authorized to access the data.
Data Integrity and Purpose Limitation
Processing of Smartsheet Information should be limited to the purposes for which it was collected (e.g., honoring contractual commitments), which may include providing the services or compatible purposes (e.g., customer relations, compliance and legal considerations, auditing, security and fraud prevention, or preserving or defending legal rights).
The collection, use, disclosure, transmission, storage, and/or disposal of Smartsheet Information should be limited to the extent necessary for a specific business purpose (or purposes), in accordance with data minimization and least privilege principles. Vendors should only use Smartsheet Information, including Personal Data, where a valid need for the information exists. This means limiting the scope of data collected and used, the number of physical and electronic copies, and the retention period of the data. Such purpose limitations should reflect:
- Data Collection: Vendors should only collect Smartsheet Information and Personal Data that is appropriate for a specific, intended, and authorized use. Vendors should adopt and communicate to their personnel a data collection policy that takes into consideration the following rules:
  - collect only accurate Personal Data;
  - keep Personal Data up to date; and
  - collect Personal Data only for fair and lawful purposes that are transparent to individuals.
- Authorized Use: To access, use, transmit, handle, or receive Personal Data, the Vendor’s personnel should be permitted under law, regulation, customer agreements, and internal policies to do so, and have a legitimate “need to know” that Personal Data. That authorization only extends to the specific data for which there is a legitimate “need to know” for the purposes of performing the services.
- Disclosure to Third Parties: Vendors should only share Personal Data with third parties as permitted by law and regulation, and pursuant to customer agreements. No other disclosures to any third party should be permitted.
- Downloading Personal Data: Smartsheet Information should not be downloaded to or stored on any personal device or any other device not controlled by the Vendor.
- Storage of Data: Vendors should only store Smartsheet Information as necessary for and in accordance with (i) the contract between the Vendor and Smartsheet, and (ii) the Vendor’s internal policies (e.g., data retention and disaster recovery policies).
- Transmission of Data: Vendors should not transmit (e.g., via mail, fax, email, instant messaging, etc.) Smartsheet Information without ensuring applicable security controls are in place. Vendors should not transmit such data to anyone who does not need the information. Care should be taken to ensure that emails are sent only to intended recipients.
- Disposal: Vendors should dispose of Smartsheet Information in accordance with their data retention policy and the written contract between Smartsheet and the Vendor.
Access
Smartsheet believes that individuals have the right to (i) know what Personal Data about them is being stored and/or used by a Vendor, and (ii) correct, amend, or delete that Personal Data as they see fit, except (a) where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or (b) where the rights of persons other than the individual would be violated.
Recourse, Enforcement, and Liability
Vendors should be responsible for any inquiries or complaints regarding their privacy practices and are expected to provide individuals with a mechanism to submit such inquiries and complaints. If an individual is unable to resolve issues with a Vendor, Vendors are expected to provide a mechanism for such individuals to invoke binding arbitration and/or notify a competent data protection authority.
If any Vendor receives an inquiry or complaint on behalf of Smartsheet, the Vendor should immediately forward such inquiry or complaint to Smartsheet at privacy@smartsheet.com.
Staff Training and Sanctions
Vendors should only authorize their employees, contractors, or agents to process Smartsheet Information where such employees, contractors, and agents are bound to confidentiality or are under an appropriate statutory obligation of confidentiality. Vendors should subject any such employees, contractors, and agents who are found to be in violation of these Expectations to disciplinary action.
Security Incidents and Breaches of Smartsheet Information
Discovery of Breach
Vendors should notify Smartsheet immediately, and in any event within twenty-four (24) hours, if they discover or suspect that there has been any “security incident”, including any (i) loss, misuse, or unauthorized access, use, disclosure, modification, processing, or destruction of Smartsheet Information, (ii) interference with system operations in an information system (whether the Vendor’s or Smartsheet’s) that has access to Smartsheet Information, or (iii) any other act or omission which compromises the security, confidentiality, or integrity of Smartsheet Information. Notifications should be delivered to Smartsheet via email to privacy@smartsheet.com.
Breach Investigation
Vendors should manage the investigation and mitigation of any security incident, and coordinate with Smartsheet as appropriate to ensure the security incident has been remediated and will not reoccur.
Additional Expectations for Lead Generation or Behavioral Advertising Companies and Event Coordination/Planning Companies
Lead Generation Companies
Vendors should ensure that any Personal Data provided to Smartsheet has been collected lawfully, in accordance with Applicable Data Protection Laws, and that any necessary consents have been acquired and notice provided, including notifying individuals with respect to the further transfer of their Personal Data to Smartsheet. In addition, Vendors should be responsible for ensuring they have a lawful basis to enable the transfer of Personal Data to Smartsheet.
Behavioral Advertising Companies
Smartsheet will only work with advertising networks that provide an opt-out from interest-based ads, such as those networks that follow the principles set forth by the National Advertising Initiative, the Digital Advertising Alliance, and/or the European Interactive Digital Advertising Alliance.
Event Coordination and Planning Companies
Vendors should ensure that all event participation coordination and planning, communications, websites, registration sites, invitations, material distributions, webinar recordings, photographs, and lead generation mechanisms meet Smartsheet's legal and privacy requirements for data collection, consent, and notification. Any personal information must be collected lawfully, in accordance with Applicable Data Protection Laws, and any necessary consents must have been acquired and notice provided, including notifying individuals with respect to the further transfer of their Personal Data to Smartsheet. The Vendor will also ensure that any follow-up communications and distribution of event materials after the event adhere to Smartsheet's marketing and privacy requirements.
Definitions
“Applicable Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Personal Data.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. For clarification, Personal Data includes but is not limited to contact information such as a person’s name, email address, and IP address.
“Smartsheet Information” is any and all data obtained by or on behalf of a Vendor concerning or relating to Smartsheet, its business (including legal, financial, and compliance information), or its employees, customers, end-users, partners, or suppliers.
Further Questions Regarding these Expectations
Any additional questions should be directed to Smartsheet’s Privacy team at privacy@smartsheet.com.